Ciaran McCreesh wrote:
> On Thu, 03 Apr 2008 14:29:10 +0200
> Patrick Lauer <[EMAIL PROTECTED]> wrote:
> Nope. In fact, using such a system, there are ways of getting in
> code that doesn't get triggered until someone's key gets
> invalidated.
By this reasoning you shouldn't use passwords ...

The idea is to limit the attack vectors and make simple attacks much harder. A sophisticated "hacker" could just rent a busload of angry Serbians, kidnap 12 developers and force them to do some subtle changes in many places. But is that likely to happen?

> No no. The point is, there's no effective technological way of
> preventing malicious developers from using the tree to screw over end
> users. Signing isn't designed to and can't prevent that class of
> attack (and nor can it protect against compromised end user systems).
> What it *can* do is reduce the amount of damage done by a compromised
> rsync server.
So then we should at first focus the discussion on a few things:
- what classes of attackers are there
- what defense mechanisms we can use
- what the costs (complexity, time, extra code) of each defense are

and then, from that design space, select the option(s) that have the best behaviour. If you get bored you can read the not-yet-GLEPs robbat2 has written with the help of a few others, which would cut out a large part of the discussion:
http://viewcvs.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/

> That's exactly the thing under discussion -- the design of the system
> necessitates trust in both the main repository and the end user system,
> and signing does absolutely nothing to help there. No-one is suggesting
> that anyone from infra is going to do anything to utterly screw over
> Gentoo for petty personal reasons.
But if you don't trust anyone there is no reason why you would even try to interact with Gentoo. So at some point you will have to decide to arbitrarily trust a few entities, be it devs or servers or cryptographic keys ...

--
gentoo-dev@lists.gentoo.org mailing list